Solved

Nagios nrpe cannot read log file

Posted on 2009-05-12
Last Modified: 2012-06-27
I have a Nagios server 3.0.6 running on Ubuntu 8.04 Server.  It is monitoring everything on multiple targets fine, except the one item below.

On a certain target, I am trying to monitor my /var/log/auth.log file for bad activity, such as failed password attempts, attempts to log in as invalid users, etc.

I am trying to do this via the check_log plugin via nrpe, but, I get a "Log check error: Log file /var/log/auth.log is not readable!" when the server checks on it.

The easiest way I have to reproduce the error is the following manually executed command from the host server:
/usr/local/nagios/libexec/check_nrpe -H target -c check_badpw

I know that it means that the file cannot be opened during the check, but, I don't understand why.

ls -l of /var/log/auth.log:
-rw-r----- 1 syslog adm 1590863 2009-05-12 10:47 /var/log/auth.log

In /etc/group, I have added the "nagios" user to the adm group, so it should work.

Further, if I am logged in as root on the target, and do "su nagios", I can read /var/log/auth.log

Further, if I "chmod o+r /var/log/auth.log", the command executes properly.

Additionally, when I am logged into the target as root, and su to nagios and execute the command as defined in nrpe.cfg:
/usr/local/nagios/libexec/check_log -F /var/log/auth.log -O /usr/local/nagios/auth.badpasswords.log -q ": Failed password for"
it works fine.

So, I know it will work if I loosen the permissions on /var/log/auth.log, but, I'd prefer to keep them as tight as possible.

How can I determine why the check_nrpe command does not allow for reading of the /var/log/auth.log file on the target machine?
Question by:tomn2tsr
27 Comments
 
Expert Comment

by:Kerem ERSOY
ID: 24365484
First of all, to test it use
su - nagios
not
su nagios

because when you do su nagios you don't switch environment.

When you're in su - nagios
use the command
id

to see your user and group settings and try to read file once more.

Cheers,
K.

Expert Comment

by:Deepak Kosaraju
ID: 24365570
Who is the owner of the nrpe process? Can you check nrpe.cfg and make sure the user is nagios and the group is nagios.

Author Comment

by:tomn2tsr
ID: 24365582
Thanks for that tidbit.  I may have known that at one point, but, I guess I forgot about the "su -" command.

However, that didn't shed light on a solution, at least not to me...

Here's the output

root@target:/usr/local/nagios/libexec# su - nagios
No directory, logging in with HOME=/
$ tail /var/log/auth.log
May 12 11:14:37 xxxx
May 12 11:14:37 xxxx
May 12 11:14:39 xxxx
May 12 11:14:41 xxxx
May 12 11:14:41 xxxx
May 12 11:14:41 xxxx
May 12 11:14:41 xxxx
May 12 11:14:44 xxxx
May 12 11:14:44 xxxx
May 12 11:14:44 xxxx
$ id
uid=5308(nagios) gid=5309(nagios) groups=4(adm),5309(nagios)
$ ls -l /var/log/auth.log
-rw-r----- 1 syslog adm 1790013 2009-05-12 11:16 /var/log/auth.log
$

Author Comment

by:tomn2tsr
ID: 24365606
kosarajudeepak:

In my nrpe.cfg file:

# NRPE USER
# This determines the effective user that the NRPE daemon should run as.  
# You can either supply a username or a UID.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

nrpe_user=nagios



# NRPE GROUP
# This determines the effective group that the NRPE daemon should run as.  
# You can either supply a group name or a GID.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

nrpe_group=nagios

So, I think it's good.

Author Comment

by:tomn2tsr
ID: 24365618
Perhaps I should specify that nrpe is run under xinetd on the target, if that makes a difference.

Author Comment

by:tomn2tsr
ID: 24365632
And, in /etc/xinetd.d/nrpe, the user and group are both "nagios"
Expert Comment

by:Deepak Kosaraju
ID: 24365694
What is the setting of the dont_blame_nrpe option in nrpe.cfg?

Author Comment

by:tomn2tsr
ID: 24365726
dont_blame_nrpe=0

Author Comment

by:tomn2tsr
ID: 24365763
Since you questioned it, I changed it to 1, restarted xinetd, and still had the same problem.

Author Comment

by:tomn2tsr
ID: 24366627
Here's something else I just found.

As I stated above, after an "su - nagios" on the target system, the output of id returns:
uid=5308(nagios) gid=5309(nagios) groups=4(adm),5309(nagios)

However, if I embed the id command into the check_log script on the target, and execute:
/usr/local/nagios/libexec/check_nrpe -H target -c check_badpw
from the monitoring server, the output of id shows only:
uid=5308(nagios) gid=5309(nagios)

It does not show membership to the adm group as it does above.

So, why does a call through check_nrpe ignore the pertinent data in /etc/group (that being adm contains nagios as a group)?

Expert Comment

by:Deepak Kosaraju
ID: 24367253
Can you copy the content of the check_log file where you added the id command, and also the nrpe.cfg definition for the check_badpw command?

Author Comment

by:tomn2tsr
ID: 24367337
check_log:
# If the source log file doesn't exist, exit

if [ ! -e "$logfile" ]; then
    $ECHO "Log check error: Log file $logfile does not exist!\n"
    exit $STATE_UNKNOWN
elif [ ! -r "$logfile" ] ; then
    $ECHO "Log check error: Log file $logfile is not readable!\n"
    /usr/bin/id    # added for diagnosis: prints the uid/gid/groups the plugin really runs with
    exit $STATE_UNKNOWN
fi

nrpe.cfg:
command[check_badpw]=/usr/local/nagios/libexec/check_log -F /var/log/auth.log -O /usr/local/nagios/auth.badpasswords.log -q ": Failed password for"
Expert Comment

by:Kerem ERSOY
ID: 24368248
Hi, then you can make syslog a member of the nagios group instead.

Author Comment

by:tomn2tsr
ID: 24368364
KeremE:

Still same problem.
Expert Comment

by:Kerem ERSOY
ID: 24368429
Another solution would be to run a cron job to collect the information and write it to a file owned by nagios:nagios, and have you read that instead of auth.log :)

I know it is a dirty solution, but anyway :)

Author Comment

by:tomn2tsr
ID: 24368449
Yeah, I could do that.  But I'm really looking for the answer to why it's not working the way I think it is supposed to work.  There must be something wrong, because if you wanted to monitor a bunch of secured logs, you'd have to do an awful lot of "dirty" solutions.
Expert Comment

by:Kerem ERSOY
ID: 24368529
Yeah, but another alternative would be running a SUID / SGID script, which I don't even want to think of. It seems that nrpe is just assigning the configured user and group id, and that it does not run it in the system environment and thus obviously is not checking the user environment.

Maybe the best thing to do is just log on to the forum and tell the problem to the developers so that they will fix it for the coming releases.
 

Author Comment

by:tomn2tsr
ID: 24368574
I will probably do that, if I don't get any other suggestions/solutions here.
Expert Comment

by:Kerem ERSOY
ID: 24368808
In fact I've got another solution. NRPE also allows the use of command prefixing, so that you can run your script with, say, sudo:

Find it here:
# COMMAND PREFIX
# This option allows you to prefix all commands with a user-defined string.
# A space is automatically added between the specified prefix string and the
# command line from the command definition.
#
# *** THIS EXAMPLE MAY POSE A POTENTIAL SECURITY RISK, SO USE WITH CAUTION! ***
# Usage scenario:
# Execute restricted commands using sudo.  For this to work, you need to add
# the nagios user to your /etc/sudoers.  An example entry for allowing
# execution of the plugins from might be:
#
# nagios          ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/
#
# This lets the nagios user run all commands in that directory (and only them)
# without asking for a password.  If you do this, make sure you don't give
# random users write access to that directory or its contents!

command_prefix=/usr/bin/sudo

So you can prefix your script with this and it will work with syslog instead. Of course you might need to assign proper privileges in the sudoers table.

Expert Comment

by:Kerem ERSOY
ID: 24368826
Another option is turning on nrpe debugging through the nrpe config and seeing what actually happens step by step.


Author Comment

by:tomn2tsr
ID: 24368981
That's interesting.

However, I tried that, and it creates a log entry in auth.log (which is what I am monitoring) complete with the command line which was executed.  And, since the command line contains the search string, the string is always inserted into the log file; therefore, the string is always present at run time, returning a positive result.

I'm sure I could get rid of the log entry, but I don't really wish to modify the default way that sudo runs either.
Expert Comment

by:Kerem ERSOY
ID: 24369059
I don't suggest you modify the default way that sudo runs. All I say is you need to configure sudo so that it will allow your string to run as the syslog user. I mean you need to configure sudo too; it is not enough just to configure nrpe :)

Author Comment

by:tomn2tsr
ID: 24369111
Right, I understood that both nrpe and the sudoers file would need to be modified, which I did.

But, doing that, the initial problem went away and was replaced by an always-positive condition, that being: whatever string I was trying to check in auth.log was inserted into auth.log by the execution of the sudo command just before the actual check for the string was made.
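The false positive the author describes comes from sudo itself: by default it writes an audit line for every command through syslog's authpriv facility, which on Ubuntu lands in /var/log/auth.log, and that line quotes the plugin's full command line including the -q pattern. A plain substring search therefore matches its own invocation every run. The script below is an added example, not code from the thread or from the check_log plugin: it runs the thread's substring search and an sshd-anchored match over constructed auth.log lines (host name, PIDs and addresses are invented; the sudo line mimics the format of sudo's audit entry), and models the "only lines added since the last snapshot" behaviour that check_log's -O file provides as a prefix comparison. Exit codes are the standard Nagios plugin values.

```python
"""Matching sshd failures in auth.log without matching the check's own sudo line.

Added example, not from the thread or the check_log plugin.  The log lines are
constructed (host, PIDs, addresses invented); the sudo line mimics the audit
line sudo writes through syslog when the plugin is run via
command_prefix=/usr/bin/sudo, which is what defeated the substring search.
"""
import re

# Constructed snapshot from the previous run (what check_log keeps in its -O file).
AUTH_LOG_PREVIOUS = """\
May 12 11:10:02 target sshd[3990]: Failed password for root from 10.0.0.9 port 50117 ssh2
"""

# Constructed current file: the snapshot plus lines appended since.
AUTH_LOG = AUTH_LOG_PREVIOUS + """\
May 12 11:14:37 target sshd[4012]: Failed password for invalid user admin from 10.0.0.9 port 51112 ssh2
May 12 11:14:39 target sshd[4012]: Failed password for root from 10.0.0.9 port 51112 ssh2
May 12 11:14:41 target sudo:   nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/nagios/libexec/check_log -F /var/log/auth.log -O /usr/local/nagios/auth.badpasswords.log -q : Failed password for
May 12 11:14:44 target sshd[4015]: Accepted publickey for tom from 10.0.0.5 port 40022 ssh2
May 12 11:14:44 target CRON[4020]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

NAIVE_PATTERN = ": Failed password for"   # the -q argument from the thread

# Anchored on the syslog tag: the line must come from sshd, and the event text
# must open the message body, so a command line quoting it elsewhere cannot match.
SSHD_FAILED = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

STATE_OK, STATE_WARNING, STATE_CRITICAL = 0, 1, 2   # Nagios plugin return codes


def new_since(previous, current):
    """Lines appended since the last snapshot (the job check_log's -O file does).
    If the file no longer starts with the old contents (rotated or truncated),
    treat everything as new rather than silently reporting nothing."""
    old, new = previous.splitlines(), current.splitlines()
    if new[: len(old)] == old:
        return new[len(old):]
    return new


def naive_matches(lines):
    """What grep ': Failed password for' sees: any line containing the text."""
    return [line for line in lines if NAIVE_PATTERN in line]


def sshd_failures(lines):
    """Only sshd's own 'Failed password' events, with the fields an alert wants."""
    hits = []
    for line in lines:
        m = SSHD_FAILED.match(line)
        if m:
            hits.append({"user": m["user"], "ip": m["ip"],
                         "invalid_user": m["invalid"] is not None})
    return hits


def check_badpw(current, previous="", warn=1, crit=5):
    """Nagios-style result (exit code, summary), counting new sshd failures only."""
    hits = sshd_failures(new_since(previous, current))
    n = len(hits)
    state = STATE_CRITICAL if n >= crit else STATE_WARNING if n >= warn else STATE_OK
    who = ", ".join(f"{h['user']}@{h['ip']}" for h in hits)
    return state, f"{n} new failed SSH password attempt(s)" + (f": {who}" if who else "")


if __name__ == "__main__":
    fresh = new_since(AUTH_LOG_PREVIOUS, AUTH_LOG)
    print("substring hits :", len(naive_matches(fresh)))   # counts the sudo line too
    print("sshd hits      :", len(sshd_failures(fresh)))
    print("plugin result  :", check_badpw(AUTH_LOG, AUTH_LOG_PREVIOUS))
```

On the constructed input the substring search reports three new hits while only two are sshd failures; the third is sudo's audit entry. Anchoring on the process tag fixes the false positive without touching sudo's logging, which is the trade-off the author wanted to avoid.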
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24369181
OK, it seems that sudo is returning its own status now and preventing the output from the string.
I don't know about your script, but does it exit with a specific exit code, i.e., one exit code for modified and another for normal termination?

Another suggestion would be to use a script wrapper in which you'll call a string, and it will call the sudo-enabled check script and evaluate the result depending on the output. Say, if some string is returned, exit with a status; if not, just exit?

Expert Comment

by:Kerem ERSOY
ID: 24369211
If you can't pass parameters back to Nagios, you might as well write the result to a file in temp. Then upon completion you read that file in your wrapping script and set the exit status accordingly.

Accepted Solution

by:tomn2tsr
ID: 24423025
It turns out that /etc/xinetd.d/nrpe needed to contain the line:
groups = yes
so that xinetd would apply the group membership permissions as well.

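Why that one line fixes it: su - nagios (and login) call initgroups(3), which loads the supplementary groups from /etc/group, so the manual test had adm. xinetd only does that for a service when groups = yes is set; otherwise it does setgid to the configured group and the server runs with no supplementary groups, which is exactly what the id call embedded in the plugin showed. The model below is an added example, not code from the thread, from xinetd or from NRPE: it parses a constructed /etc/group, builds the credentials both ways, and applies the ordinary owner/group/other read check to the -rw-r----- syslog adm mode from the question. The uid 5308 and gids 4 and 5309 are the ones printed by id on the page; the syslog uid (101) and the /etc/group contents are assumptions.

```python
"""What xinetd's `groups = yes` changes for the credentials nrpe runs with.

Added example, not code from the thread, xinetd or NRPE.  uid 5308, gid 5309
and adm's gid 4 are taken from the `id` output on the page; the syslog uid
(101) and the /etc/group contents below are assumptions.
"""
import stat
from dataclasses import dataclass

# Constructed /etc/group reflecting what the author did: nagios added to adm.
GROUP_FILE = """\
root:x:0:
adm:x:4:syslog,nagios
syslog:x:101:
nagios:x:5309:
"""

NAGIOS_UID, NAGIOS_GID = 5308, 5309   # from the page's `id` output
SYSLOG_UID, ADM_GID = 101, 4          # syslog uid assumed; adm gid from `id`


def parse_group_file(text):
    """Parse /etc/group text into {name: (gid, [member logins])}."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def initgroups(user, primary_gid, groups):
    """What initgroups(3) computes (su -, login): the primary gid plus every
    group whose member list names the user."""
    supp = {gid for gid, members in groups.values() if user in members}
    return frozenset(supp | {primary_gid})


@dataclass(frozen=True)
class Creds:
    uid: int
    gid: int
    groups: frozenset      # supplementary group ids


def xinetd_creds(user, uid, gid, group_text, groups_option):
    """Model xinetd's service setup: setgid(gid), initgroups() only if
    groups = yes, then setuid(uid).  With groups = no there are no
    supplementary groups at all, whatever /etc/group says."""
    supp = initgroups(user, gid, parse_group_file(group_text)) if groups_option else frozenset()
    return Creds(uid, gid, supp)


def parse_ls_mode(field):
    """'-rw-r-----' -> 0o640.  Type char ignored; setuid/setgid/sticky not modelled."""
    bits = 0
    for ch in field[1:10]:
        bits = (bits << 1) | (ch != "-")
    return bits


def may_read(creds, mode, owner_uid, owner_gid):
    """Classic Unix DAC read check: owner class if the uid matches, else group
    class if the file's gid is the primary or a supplementary gid, else other."""
    if creds.uid == 0:
        return True
    if creds.uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid == creds.gid or owner_gid in creds.groups:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


AUTH_LOG_MODE = parse_ls_mode("-rw-r-----")   # as listed on the page: syslog adm


def nrpe_can_read_auth_log(groups_option, mode=AUTH_LOG_MODE):
    """Can the plugin, launched by xinetd as nagios, open /var/log/auth.log?"""
    creds = xinetd_creds("nagios", NAGIOS_UID, NAGIOS_GID, GROUP_FILE, groups_option)
    return may_read(creds, mode, SYSLOG_UID, ADM_GID)


if __name__ == "__main__":
    for opt in (False, True):
        label = "yes" if opt else "no"
        c = xinetd_creds("nagios", NAGIOS_UID, NAGIOS_GID, GROUP_FILE, opt)
        print(f"groups = {label}: uid={c.uid} gid={c.gid} groups={sorted(c.groups)} "
              f"readable={nrpe_can_read_auth_log(opt)}")
    print("after chmod o+r:", nrpe_can_read_auth_log(False, parse_ls_mode("-rw-r--r--")))
```

Run directly it prints the three cases from the thread: unreadable with groups = no, readable with groups = yes, and readable (for everyone) after chmod o+r. The practical check is the one the author stumbled on: put /usr/bin/id into the plugin and compare its output through check_nrpe with the output of id after su - nagios; if the supplementary groups differ, the service launcher, not the file's permissions, is the place to look.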
Expert Comment

by:Deepak Kosaraju
ID: 24423141
Good catch! Thanks for posting the solution. Good luck.